May 2017

May 31, 2017

Perhaps we've been going about malware detection the wrong way. At least that is the conclusion of a new study from the Georgia Institute of Technology.

By analyzing network traffic going to suspicious domains, security administrators could detect malware infections weeks or even months before they're able to capture a sample of the invading malware. The findings point toward the need for new malware-independent detection strategies that will give network defenders the ability to identify network security breaches faster.

Malware generally needs to communicate with its command-and-control (C2) servers, and that creates network traffic that can be detected and analyzed. Having an earlier warning of developing malware infections could enable quicker responses and potentially reduce the impact of attacks, the study's researchers say.

"Our study shows that by the time you find the malware, it's already too late because the network communications and domain names used by the malware were active weeks or even months before the actual malware was discovered," said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. "These findings show that we need to fundamentally change the way we think about network defense."

Traditional defenses depend on the detection of malware in a network. While analyzing malware samples can identify suspicious domains and help attribute network attacks to their sources, relying on samples to drive defensive actions gives malicious actors a critical time advantage to gather information and cause damage. "What we need to do is minimize the amount of time between the compromise and the detection event," Antonakakis noted.

The research, presented May 24th at the 38th IEEE Security and Privacy Symposium in San Jose, California, was supported by the U.S. Department of Commerce, the National Science Foundation, the Air Force Research Laboratory and the Defense Advanced Research Projects Agency. The project was done in collaboration with EURECOM in France and the IMDEA Software Institute in Spain – whose work was supported by the regional government of Madrid and the government of Spain.

The study analyzed more than five billion network events from nearly five years of network traffic carried by a major U.S. internet service provider (ISP). The researchers also studied Domain Name System (DNS) requests made by nearly 27 million malware samples, and examined the timing of the re-registration of expired domains – which often serve as the launch sites for malware attacks.

Because certain networks are disproportionately abused, traffic into those "hot spot" networks turned out to be a useful indicator of infection. The researchers also found that requests for dynamic DNS domains were often tied to malicious activity: those services are popular with attackers because they offer free registration and let a new domain be added or repointed within minutes.

The researchers had hoped that the registration of previously expired domain names might provide a warning of impending attacks. But they found there was often a lag of months between when expired domains were re-registered and when attacks from them began.

The research required development of a filtering system to separate benign network traffic from malicious traffic in the ISP data. The researchers also conducted what they believe is the largest malware classification effort to date, separating malicious software from potentially unwanted programs (PUPs). To study similarities, they grouped the malware into "families." By examining the malware-related traffic the ISP had seen before each sample was detected, the researchers determined that the network signals were present weeks and even months before the new malicious software was found.

In all, the researchers found more than 300,000 malware domains that were active for at least two weeks before the corresponding malware samples were identified and analyzed. The practical implication is that network administrators need a baseline of normal traffic, so they can spot the anomalies that may signal a developing attack. While many aspects of an attack can be hidden, malware that takes orders or sends data home must eventually communicate back to its operators, and that traffic is where defenders can look.

The study may well lead to development of new defense strategies, where we stop looking for malware and instead analyze network traffic. Very likely this will be the next generation of cyber defense.
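To make the "look at the traffic, not the sample" idea concrete, here is an added example (it is not the Georgia Tech study's code and is not from the page) that runs the three signals the post describes over a few constructed resolver log lines: queries to dynamic-DNS providers, answers that resolve into "hot spot" networks, and the lead time between a domain's first appearance in traffic and the date a sample contacting it was first analyzed. The suffix list, the hot-spot prefixes (RFC 5737 documentation ranges), the sample dates and the log lines are all constructed; the 14-day bar mirrors the study's "active for at least two weeks".

```python
import ipaddress
from datetime import date

# Constructed list of dynamic-DNS suffixes. A real deployment would load a
# maintained list, and remember these providers also have legitimate users.
DYNDNS_SUFFIXES = ("no-ip.org", "ddns.net", "hopto.org", "dyndns.org")

# Constructed "hot spot" prefixes (networks with a history of abuse).
# RFC 5737 documentation ranges are used so nothing here is a real network.
HOTSPOT_NETWORKS = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed: the date a sample contacting each domain was first analyzed.
SAMPLE_FIRST_ANALYSED = {
    "updates-cdn.hopto.org": date(2017, 4, 3),
    "cfg.example-evil.ddns.net": date(2017, 3, 20),
}

# Constructed resolver log: "<date> <client> <queried name> <answer>".
DNS_LOG = """\
2017-01-10 10.0.0.12 updates-cdn.hopto.org 203.0.113.44
2017-01-11 10.0.0.12 www.example.com 93.184.216.34
2017-02-02 10.0.0.31 updates-cdn.hopto.org. 203.0.113.44
2017-03-19 10.0.0.31 cfg.example-evil.ddns.net 198.51.100.200
2017-03-21 10.0.0.7 www.example.com 93.184.216.34
this line is malformed and must be skipped
"""

LEAD_TIME_THRESHOLD_DAYS = 14  # the study's "active for at least two weeks" bar


def parse_line(line):
    """Return (day, client, qname, answer_ip) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        day = date.fromisoformat(parts[0])
        answer = ipaddress.ip_address(parts[3])
    except ValueError:
        return None
    # Lower-case and drop a trailing dot so "a.example." and "A.example" merge.
    return day, parts[1], parts[2].lower().rstrip("."), answer


def is_dyndns(qname):
    return any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES)


def in_hotspot(addr):
    return any(addr in net for net in HOTSPOT_NETWORKS)


def triage(log_text, sample_dates=SAMPLE_FIRST_ANALYSED):
    """Summarize each queried name and keep only those carrying a signal."""
    report = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        day, client, qname, answer = rec
        entry = report.setdefault(
            qname, {"first_seen": day, "clients": set(), "signals": set(), "lead_days": None}
        )
        entry["first_seen"] = min(entry["first_seen"], day)
        entry["clients"].add(client)
        if is_dyndns(qname):
            entry["signals"].add("dynamic-dns")
        if in_hotspot(answer):
            entry["signals"].add("hotspot-network")
    # Lead time: how long the domain was live in traffic before a sample existed.
    for qname, entry in report.items():
        analysed = sample_dates.get(qname)
        if analysed is not None:
            entry["lead_days"] = (analysed - entry["first_seen"]).days
            if entry["lead_days"] >= LEAD_TIME_THRESHOLD_DAYS:
                entry["signals"].add("active-before-sample")
    return {q: e for q, e in report.items() if e["signals"]}


if __name__ == "__main__":
    for name, info in sorted(triage(DNS_LOG).items()):
        print(name, sorted(info["signals"]), "first seen", info["first_seen"],
              "lead days", info["lead_days"], "clients", sorted(info["clients"]))
```

Two practitioner notes: dynamic-DNS use and a hot-spot destination are triage signals, not verdicts, since both have legitimate users, so the output belongs in an analyst queue rather than a blocklist; and the lead-time figure is only as good as the first-seen date, which means the resolver logs have to be retained for months for the signal to exist at all.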

May 30, 2017

It doesn't seem fair really. XP got all the publicity and it turned out WannaCry couldn't remotely infect XP nearly as effectively (if at all) as Windows 7.

As SC Media reported, it is still a bad idea to use XP. It's no longer supported, has a long history of being exploited, and the latest versions of Windows are far more secure. But somehow, XP was made a scapegoat when so many more Windows 7 computers were infected because they hadn't been patched against the Windows SMB vulnerability that WannaCry exploited.

Like countless attacks before it, WannaCry had no trouble spreading because so many unpatched systems had their port 445 open to the outside. Once again, if I had a dollar for every time "failure to patch" was at fault, I would be wealthy beyond imagination.

WannaCry spread because of a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. It's the same sort of old-school flaw in a network-exposed service that let worms like Slammer in 2003 and Conficker in 2008 spread around the globe.

Microsoft addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn't have seen it unless they were signed up for custom support, Microsoft's special extended – and paid-for – support.

Microsoft has begun phasing out Windows 7, though it continues to offer limited extended support options for business customers. Windows 7 Service Pack 1 will expire in two and a half years' time, on January 14, 2020. Even so, Windows 7 remains in heavy use and, as the WannaCry outbreak demonstrated, many of those systems are not getting patched in a timely manner.

The equation is simple: Unpatched Windows 7 + port 445 open = trouble. Once a single device was compromised, the attack spread like wildfire.

During its investigation, SophosLabs confirmed that the systems most at risk in the attack had been running unpatched SMB on Windows 7. That's why the standard advice is not to expose port 445 to the internet.

During testing, SophosLabs found that XP wasn't the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.

Various security companies arrived at a similar conclusion, putting Windows 7's share of infected machines at between 65% and 95%. SophosLabs puts that number even higher - its analysis of endpoint data for the three days that followed the outbreak showed that Windows 7 accounted for nearly 98% of infected computers.

That percentage came as a surprise, since XP was almost universally cited as the exploited operating system. Microsoft even took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone.

SophosLabs offered some possibilities explaining why XP was harder to infect, but acknowledges that it – and others – are not yet fully confident in their theories.

But no matter. The lesson is patch, patch, patch, but there are caveats. Some IT personnel hold back some patches because they need to tweak their systems for compatibility. Otherwise, they risk deploying a patch that breaks other programs. Meanwhile, some organizations have continued to use old versions of Windows because they lack the financial and human resources to upgrade or their legacy systems aren't yet equipped to work with Windows 10 or other modern operating systems.

The best advice is still for organizations to keep their patching up to date and to use current versions of Windows. Or, if you must continue using older versions for compatibility reasons, sign up for Microsoft custom support so you continue to receive security updates. Equally important? Set your firewalls to block inbound access to port 445 from the internet. If you haven't checked whether this has been done, now would be an excellent time.
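The post's equation, "unpatched Windows 7 + port 445 open = trouble", can be checked mechanically. The following is an added example, not code from Sophos, Microsoft or the page: it pulls KB identifiers out of pasted `Get-HotFix` output, tests whether TCP/445 actually completes a handshake from where the script runs, and turns the two answers into a verdict. The KB numbers are the ones Microsoft's MS17-010 bulletin lists for the platforms discussed above (plus the out-of-band XP/2003 package); the hotfix listing, host names and inventory records are constructed, and the `probe` argument exists so the decision logic can be exercised without a network.

```python
import re
import socket

# KB numbers from Microsoft's MS17-010 bulletin for the platforms the post
# discusses (security-only and monthly-rollup packages for Windows 7 / 2008 R2
# and 8.1, and the out-of-band package later released for XP / 2003).
# Caveat: every later Windows 7 monthly rollup also carries the fix, so a
# missing KB here means "check", not "unpatched"; compare against the current
# rollup as well before declaring a host vulnerable.
MS17_010_KBS = {
    "windows 7": {"KB4012212", "KB4012215"},
    "windows server 2008 r2": {"KB4012212", "KB4012215"},
    "windows 8.1": {"KB4012213", "KB4012216"},
    "windows xp": {"KB4012598"},
    "windows server 2003": {"KB4012598"},
}

# Constructed sample of `Get-HotFix` output as pasted from a Windows 7 host.
SAMPLE_HOTFIX_OUTPUT = r"""
Source  Description      HotFixID   InstalledBy          InstalledOn
------  -----------      --------   -----------          -----------
WKS-07  Update           KB2999226  NT AUTHORITY\SYSTEM  1/5/2017 12:00:00 AM
WKS-07  Security Update  KB4012212  NT AUTHORITY\SYSTEM  3/15/2017 12:00:00 AM
"""

KB_RE = re.compile(r"\bKB\d{6,7}\b")


def installed_kbs(hotfix_listing):
    """Pull KB identifiers out of `Get-HotFix` / `wmic qfe list` text."""
    return set(KB_RE.findall(hotfix_listing))


def port_open(host, port=445, timeout=1.0):
    """True if a TCP handshake to host:port completes, i.e. SMB is reachable
    from the machine running this check (run it from outside the perimeter)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(os_name, kbs, smb_reachable):
    """Apply the post's equation: unpatched + port 445 reachable = trouble."""
    key = os_name.lower()
    needed = next((v for k, v in MS17_010_KBS.items() if key.startswith(k)), None)
    if needed is None:
        return "unknown"       # platform not in the table: verify by hand
    patched = bool(needed & kbs)
    if not patched and smb_reachable:
        return "critical"      # EternalBlue-exploitable and reachable
    if not patched:
        return "high"          # only the firewall stands between it and a worm
    if smb_reachable:
        return "medium"        # patched, but 445 should still not be exposed
    return "ok"


def audit(record, probe=port_open):
    """record: {"host": ..., "os": ..., "hotfixes": <Get-HotFix text>}.
    `probe` is injectable so the logic can be tested without touching a network."""
    kbs = installed_kbs(record["hotfixes"])
    return record["host"], triage(record["os"], kbs, probe(record["host"]))


if __name__ == "__main__":
    # Constructed inventory; host names are hypothetical.
    inventory = [
        {"host": "wks-07.example.internal", "os": "Windows 7 Professional",
         "hotfixes": SAMPLE_HOTFIX_OUTPUT},
        {"host": "legacy-xp.example.internal", "os": "Windows XP", "hotfixes": ""},
    ]
    for host, verdict in (audit(r) for r in inventory):
        print(f"{host}: {verdict}")
```

Run it from outside the network boundary if the question is "is 445 open to the internet", and from a neighbouring workstation if the question is "could a worm hop laterally"; the same code answers both, which is also a reminder that WannaCry did most of its damage on the inside once a single host was compromised.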

May 25, 2017

It is always worth watching my friend Bob Ambrogi whose finger is always on the pulse of legal tech. His LawSites blog reported yesterday that the legal research service Ravel Law had announced the launch of a new feature, Firm Analytics, that provides insights on law firms' litigation histories that can be used for competitive intelligence and research into firms' litigation activity.

Rank and compare firms by their case volume and motion win rate across more than 30 practice areas and specific venues.

Create custom comparisons and reports using an array of variables.

Firm Analytics can be used both by law firms and by in-house counsel to gain insights into firms' experience and performance. Imagine how the old notion of "beauty contests" will be altered by easily acquired statistics. No one will want to "show poorly" – that's for darn sure.

May 24, 2017

Legaltech news (sub. req.) reported that, last week, the Florida law firm of Shutts & Bowen successfully defended itself against the ransomware WannaCry before it encrypted any of the firm's data. In and of itself, this is not remarkable. Law firms are increasingly striving to protect their confidential data and to assure their clients that they have done so. Shutts & Bowen is a Florida law firm of more than 270 attorneys, according to its website.

As the firm notes, it has technology in place that quarantines almost all spear phishing attacks. Since we now know that WannaCry spread as a worm rather than by e-mail, the firm must have had other measures in place that protected it.

The specifics are less important than the firm's obvious focus on cybersecurity. Last year, Shutts hired a full-time cybersecurity expert and joined the Legal Services Information Sharing and Analysis Organization, or LS-ISAO, which shares information about cyber threats among member law firms.

The firm hired a cybersecurity consulting company to carry out a cyberattack to reveal vulnerabilities at the firm. At firm offices, the company dropped USB drives with labels such as "associates salaries" and "payroll." But the USBs held a program that, when plugged in, would alert the consultant that it had infected the system. In our parlance, this is called "baiting" - and it is remarkable how many people fall for it.

The company also conducted mock spear phishing attacks. The consulting firm sent an e-mail purporting to be from a managing partner to a specific person in payroll requesting a list of all the firm's W2s. While no one fell for the "dropped" USBs (employees turned them in), the W2 e-mail almost worked, and a few click-on-the-link mock virus attacks got through. The firm later used the findings of the mock attack in firm-wide employee training sessions. And, laudably, the firm does these trainings annually.

Larger firms like this one are increasingly turning to the sort of measures described in the article – now we need to "spread the gospel" to smaller firms.

May 23, 2017

If John and I had a dollar for every time a Mac user has asked us, "Aren't Macs safe from viruses and other malware?", we would be as rich as King Midas. So we were especially pleased to set the record straight with Digital Detectives podcast guest Tom Lambotte, the CEO of GlobalMac IT.

The truth is that Macs are inherently as vulnerable to malware as PCs; they have simply been targeted less. As Macs have grown in popularity, though, they have increasingly drawn the attention of the bad guys, and some malware is now developed specifically for them.

Tom is a very conversational fellow – easy to listen to – so if you're a Mac lawyer, let a Mac specialist tell you about cybersecurity for Macs!

May 22, 2017

John and I were greatly surprised to find that there was a Bitcoin ATM in our local Shell station. And there was a sheet of instructions for Bitcoin rookies. You can sell or buy bitcoins, use your current bitcoin wallet or create a new wallet. The sheet of instructions included a list of other places where you could find Bitcoin ATMs in the D.C. Metro area including other gas stations, two laundromats and a falafel shop (really?).

Needless to say, we took a photo of the ATM to include in our presentation and took one of the instruction sheets to include in written materials for our presentation. When you have Bitcoin ATMs proliferating, you know this cryptocurrency has gone mainstream.

May 18, 2017

The rules for managing passwords are about to undergo profound changes. InfoWorld reported recently on the coming changes from the National Institute of Standards and Technology (NIST).

NIST's Digital Identity Guidelines (SP 800-63-3, with the password rules in its companion volume SP 800-63B) challenge the effectiveness of what has traditionally been considered authentication best practice, such as requiring complex passwords. When most credential-based attacks no longer bother with brute force, password complexity doesn't really help. When attackers can discover the actual password string via keyloggers, phishing, or other social engineering tactics, it doesn't matter how complex the string is. Attackers can also harvest credentials directly from the domain controller while moving laterally through the network, look up passwords in previously breached databases, or intercept passwords transmitted in plaintext.

The public comment period for the password guidelines closed on May 1, but NIST has not yet released the final version, expected in late spring or early summer. The NIST guidelines provide technical requirements for federal government agencies, but they are a helpful blueprint for the private sector to follow as well.

Here's what is out:

Having special composition rules on creating strong passwords (such as requiring both uppercase and lowercase characters, at least one number, and a special character)

Requiring routine password changes for the sake of changing them; passwords should be changed only when there is a risk of compromise

Password hints and knowledge-based questions, such as the name of the first pet, the mother's maiden name, or the high school mascot, since social media and social engineering have made it easy for attackers to find these answers and use them to bypass or reset passwords

NIST recommends administrators leave out overly complex security requirements that make it harder for users to do their jobs and don't really improve security, since frustrated users are more likely to look for shortcuts. For example, users struggle to memorize large numbers of passwords—the average user accesses more than 40 accounts—so they may either write down passwords, which defeats the purpose of having a "secret" password; reuse passwords, which makes it easier to break into accounts; or use variations of existing passwords, which makes it easier for attackers to guess the patterns.

While it's true there are other ways to get passwords, brute-force and offline cracking attacks still exist, so length and unpredictability still matter even if composition rules don't. Enterprises should encourage employees to use a password manager rather than try to remember passwords. Even with recent issues found in popular password managers, these applications remain the best tool for creating and storing unique and strong passwords.

Here's what's in:

Users should be able to choose freely from all printable ASCII characters, as well as spaces, Unicode characters, and emojis.

Store passwords only as salted hashes computed with an approved, deliberately slow key derivation function (NIST names PBKDF2 and Balloon), so that a stolen credential database cannot simply be read out in plaintext or cracked quickly from a weak, unsalted hash.
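The two "in" items above, and the "out" list before them, translate into a small amount of code. What follows is an added example, not NIST's reference implementation and not from the page: a password-acceptance check written to SP 800-63B's rules (minimum 8 and at least 64 characters allowed, any printable character including spaces, Unicode and emoji, NFKC normalization before counting and hashing, no composition rules, and a check against a compromised-password blocklist plus context-specific words, which the guideline requires but the post does not mention), followed by salted PBKDF2-HMAC-SHA256 storage with an optional keyed step using a secret held outside the database. The blocklist is a constructed stand-in for a real breach corpus, and the iteration count is an assumption above NIST's floor of 10,000.

```python
import hashlib
import hmac
import secrets
import unicodedata

MIN_LEN, MAX_LEN = 8, 64        # 800-63B: at least 8 required, at least 64 allowed
PBKDF2_ITERATIONS = 600_000     # assumption; 800-63B only sets a floor of 10,000

# Constructed stand-in for a breached / common-password corpus. In practice
# load a real list (hundreds of millions of entries) or use a k-anonymity API.
BLOCKLIST = {"password", "123456789", "letmein!", "qwertyuiop", "welcome1"}


def normalize(pw):
    """800-63B: apply NFKC (or NFKD) before length checks and hashing, so the
    same secret typed on two platforms produces the same bytes."""
    return unicodedata.normalize("NFKC", pw)


def check_password(pw, *, username="", service=""):
    """Return the list of reasons a new memorized secret should be refused.
    Deliberately no composition rules: spaces, Unicode and emoji are all fine."""
    pw = normalize(pw)
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        problems.append("longer than 64 characters")
    if low in BLOCKLIST:
        problems.append("appears in the compromised-password list")
    if pw and len(set(pw)) == 1:
        problems.append("is a single repeated character")
    for ctx in (username, service):          # context-specific words
        if ctx and ctx.lower() in low:
            problems.append(f"contains context-specific word {ctx!r}")
    return problems


def hash_password(pw, *, iterations=PBKDF2_ITERATIONS, pepper=None):
    """Salted PBKDF2-HMAC-SHA256. `pepper` is an optional secret key stored
    outside the credential database (800-63B's optional keyed hash): a dumped
    table alone is then not enough to start cracking."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, iterations)
    if pepper is not None:
        dk = hmac.new(pepper, dk, "sha256").digest()
    return "$".join(("pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()))


def verify_password(pw, stored, *, pepper=None):
    """Recompute from the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    if pepper is not None:
        dk = hmac.new(pepper, dk, "sha256").digest()
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "alice2017!", "Ab1!"):
        print(repr(candidate), check_password(candidate, username="alice") or "accepted")
    record = hash_password("p\u00e4ss w\u00f6rd  2017")
    print(record[:40] + "...", verify_password("p\u00e4ss w\u00f6rd  2017", record))
```

Note what is absent: no uppercase/digit/symbol requirement and no expiry date in the record. The iteration count lives inside the stored string so it can be raised over time and old records re-hashed at next login, and NFKC normalization is applied on both the enrollment and verification paths, which is what lets a user type the same accented password on a keyboard that emits decomposed characters.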

Password managers only solve the password challenge; they don't address the overall authentication problem when attackers already have the password. NIST also recommends adding another line of defense by turning on multifactor authentication. Because an attacker typically holds only the password and not the second proof of identity, such as the user's mobile device or a physical token, the stolen password alone is not enough to get in. However, NIST warned against relying on one-time passwords sent by SMS as a second factor: text messages can be intercepted or redirected, so NIST discourages them and suggests software-based one-time-password generators, such as authenticator apps installed on mobile devices.

The final draft is timely after 2016 when troves of stolen credentials were made public, disclosing more than one billion credentials.

Compounding the problem is the fact that the average number of services registered to one e-mail account for 25-34-year-olds is more than 40, according to credit-checking firm Experian. And on average, users had only five different passwords for those accounts, as Experian reported in 2016.

NIST's new thinking makes a lot of sense – and carries good lessons for security administrators in both the private and public sectors. Password fatigue is something we see all the time – NIST is right – there are better ways to protect access to data.

May 17, 2017

Last week, USA Today reported that President Trump had signed, on May 11th, a long-awaited executive order designed to improve the nation's cybersecurity. Trump's homeland security adviser Tom Bossert said the order is designed to fulfill the president's pledge to "keep America safe, including in cyberspace."

The executive order outlines three key priorities for the Trump administration's efforts in cyberspace: Protecting federal networks, updating antiquated and outdated systems, and directing all department and agency heads to work together "so that we view our federal I.T. as one enterprise network," Bossert said.

According to a report from cybersecurity company Thales, 34% of federal agencies experienced a data breach in the last year, and 65% experienced a data breach at some point in the past. Almost all agencies – an astonishing 96% – reported that they considered themselves "vulnerable" to cyberattack, with 48% saying they were "very" or "extremely" vulnerable.

The primary reports the order demands include an assessment of the nation's critical infrastructure, the electrical grid and the Department of Defense's warfighting capabilities. Different agencies and organizations are given different deadlines, but most reports are due within 90 to 240 days. The majority will be filed with the Department of Homeland Security (DHS), while those relating to national security go through the Secretary of Defense and the Director of National Intelligence and may be classified.

With a global shortage of skilled cybersecurity workers, the order asks the Secretary of Commerce, together with DHS, to review the nation's training programs and to increase the ability to procure more cybersecurity specialists.

The executive order asks the Secretaries of Commerce and of Homeland Security to lead a process that will improve the resilience of the Internet against botnet attacks and dramatically reduce the threat they pose to the nation's communications. A report on the effort is due within one year.

In general, the order treats cybersecurity as a non-partisan issue and has received positive reviews for following the general trajectory of previous administrations.

May 16, 2017

On May 11th, the American Bar Association released Formal Opinion 477 entitled Securing Communication of Protected Client Information. In summary, it says "A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security."

The opinion updates Formal Opinion 99-413 noting that the role and risks of technology have evolved since 1999. That made me laugh - do you think?

It fundamentally says that special protective measures, such as encryption, are warranted under some circumstances.

What's a lawyer to do in this complicated technology world? The opinion offers some guidance. Certainly you want to consider the sensitivity of the information. Scheduling a phone call via text or e-mail is probably fine. Sending a merger agreement without encrypting it is almost certainly not.

The opinion suggests that lawyers should understand how their electronic communications are created, where client data resides and what avenues exist to access that information. Here, I think the opinion asks a lot of lawyers, particularly with understanding what avenues exist to access information – those avenues change all the time.

I do agree that lawyers should understand and use reasonable electronic security measures, but the truth is that the opinion lists things that lawyers generally do not understand, including secure Wi-Fi, the use of a Virtual Private Network, or another secure Internet portal, using unique complex passwords (um, NIST is about to change that), changed periodically (not so much under the new NIST framework expected to be published this summer), implementing firewalls and anti-Malware/Anti-Spyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software (most lawyers rely on IT folks to do this and they do not follow Reagan's "trust but verify" approach).

Yes, we should be able to remotely wipe lost or stolen phones. The opinion doesn't state that all phones MUST be encrypted, but that is certainly my belief.

The opinion talks at length about conversing with your client about security, about considering communications with third parties and it does flatly state "if client information is of sufficient sensitivity, a lawyer should encrypt the transmission." It further notes that some laws and regulations require encryption.

Training lawyers and other law firm employees about cybersecurity is a key measure to help protect confidential data. It is imperative that law firms have information security policies which are periodically reviewed. How to review the security of vendors is also detailed in the opinion.

It is certainly very helpful to read this opinion. Because it is a very detailed opinion, it is likely that it will need change sooner rather than later. I do not think that our own state of Virginia would adopt this rule. Virginia has chosen to limit the amount of "specifics" since they are so subject to becoming quickly obsolete. While we teach lawyers about cybersecurity all the time – and lawyers, to their credit, try to understand what we teach – there is a limit to how much a lawyer can be expected to understand about cybersecurity in a world where attack surfaces and attack methodologies change daily.

May 15, 2017

It's always a challenge to boil down the stats and takeaways from Verizon's annual Data Breach Investigations Report (DBIR). The report is based on data from more than 42,000 security incidents and nearly 2,000 breaches across 84 countries. Here are some of the major highlights.

Cybercriminals are targeting smaller companies. 61% of the data breach victims in this year's report have fewer than 1,000 employees.

1 in 14 users fell for a phishing e-mail, and a quarter of those fell for more than one.

51% of the data breaches involved malware. Ransomware is now the 5th most common form of malware involved in data breaches and the first in what the report calls the Crimeware pattern.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.